OS / Linux - Executable and Linkable Format (ELF)

Card Puncher Data Processing

About

The Executable and Linkable Format (ELF, formerly named Extensible Linking Format), is a object file format (executable files and shared libraries) used also for core dumps.

Format

Elf

The format of an ELF follows the structure of the object file format.

A program is divided into sections and uses principally the following:

  • .text for code (read-only),
  • .data for data (read-write),
  • .bss for uninitialized data (read-write);

A program must have at least .text section.

Section

A section is a block of memory that contains either program code or data.

Section Type executable by the CPU Desc
code yes
.data no for storing data
.bss no for storing program data
debug no
  • Sections
# Header
fileName: file format elf64-x86-64
# Series of disassembled sections
Disassembly of section .interp:
...
Disassembly of section .note.ABI-tag:
...
Disassembly of section .note.gnu.build-id:
...
...
etc

  • Row in section
# Row in section with three columns
4004d6: 55 push rbp
# Row in section with an optional fourth column for comment
lea r12,[rip+0x2008ee] # 600e10 <__frame_dummy_init_array_entry>

where:

  • 0x4004d6 is the address of an assembly instruction.
  • 0x55 is the assembly instruction in raw hex values.
  • push %rbp is the assembly instruction in text values in a .text section (the assembly instructions are actual program code). In a .data section, this information is meaningless.
  • An optional fourth column is a comment that appears when there is a reference to an address to inform where the address originates. Example: the referenced address from [rip+0x2008ee] is 0x600e10, where the variable __frame_dummy_init_array_entry resides.

Text Section

Example of text section with two functions:

  • _start
  • and deregister_tm_clones.
00000000004003e0 <_start>:
4003e0: 31 ed xor ebp,ebp
4003e2: 49 89 d1 mov r9,rdx
4003e5: 5e pop rsi
...more assembly code....
0000000000400410 <deregister_tm_clones>:
400410: b8 3f 10 60 00 mov eax,0x60103f
400415: 55 push rbp
400416: 48 2d 38 10 60 00 sub rax,0x601038
...more assembly code....

where:

Management

See

Documentation / Reference





Discover More
Card Puncher Data Processing
Assembly - Getting Started

An Assembly language script is the input expected by an assembler (compiler). The assembler defines then the precise syntax of the script but every assembler share a common set of syntax rule. In...
Card Puncher Data Processing
Assembly - The Netwide Assembler (nasm)

nasm is an assembler that will compile assembly code in machine instruction. . More see where: -f option specifies the file format of...
Linux - Shared Library (so, sl)

so means shared object file and are shared library in Linux There format is the Executable and Linkable Format. As Shared Library, so files are open file opened by a process. The shared library extension...
Binary Section
OS - Object File

An object file is an specific operating system format that packages an object code with related metadata to create: executable files (native image) or libraries (shared or static) There is several...
Process States
Process - (Core|Memory|System) dump

A core dumps is the content of the working memory of a process at a specific time, generally when: the process has crashed or otherwise terminated abnormally. A core dump represents the complete...
Process Explorer Windows Executable
What is a Native Image / Executable File / Program ?

An executable file is file (also known as an image) used to create a process (ie an executable instance of this file) An OS executable file has the format of a object file generated by a compiler. See...
Card Puncher Data Processing
objdump

is a disassembler that displays information object files. It is mostly used for inspecting assembly code where the following options: d (Default) only displays assembled contents of executable...



Share this page:
Follow us:
Task Runner